Digital sleuthing uncovers hacking costs

It took the intruder less than a minute to break into the university's computer via the Internet, and he stayed less than a half an hour. Yet finding out what he did in that time took researchers, on average, more than 34 hours each.

That inequity--highlighted during the Forensic Challenge, a contest of digital-sleuthing skills whose results were announced this week--underscores the costs of cleaning up after an intruder compromises a network, said David Dittrich, senior security engineer at the University of Washington and the lead judge in the contest.

"This guy can do all that damage in a half an hour," he said. Dittrich estimated that those 34 hours would cost a company about $2,000 if the investigation was handled internally and more than $22,000 if a consultant was called in.

"Those are conservative estimates, as well," he said.

On Monday, Dittrich, and other members of a loose group of security experts known as the Honeynet Project, announced the winner of the Forensic Challenge. The contest pitted the reports of 13 amateur and professional cybersleuths against one another.

Each digital detective used decompilers, data recovery programs and other forensic tools to uncover as much information as possible. The entries consisted of a memo to fictional upper management, a security advisory, and an in-depth analysis of the evidence uncovered by the contestant's digital detective work.

The winner of the contest, Thomas Roessler, a student in mathematics at the University of Bonn in Germany, has dabbled but not done digital forensics work in the past.

"First: It's always amazing how much information you can get out of a system by using rather basic tools," he said. "Second: You always miss something."

The contest was made more interesting by the fact that the attack was a real one, captured by one of the several "honeypots"--vulnerable computers connected to the Net and surreptitiously watched--run by the Honeynet Project.

In fact, the detectives produced several leads to the identity of the culprit. Lance Spitzner, the founder of the Honeynet Project and senior security architect at Sun Microsystems, said they would not prosecute the person responsible. Such online vandals are extremely common, he said.

"I would say this guy represents a very large and common percentage of the black-hat community--it's a threat that we all face," he said, estimating that 70 percent to 80 percent of so-called black-hat hackers--those who break into computers illegally--have comparable skills to the attacker who breached the computer.

The contest also helps illuminate why securing a computer is more cost effective than hiring consultants to come in and do the detective work afterward, said Fred Cohen, director of the online investigations program for the University of New Haven, Conn.

"It is a fairly extensive process to take what amounts to a bunch of garbage and build a comprehensive picture of what happened," he said. The costs of such investigations can easily amount to $20,000 per computer, he said.

Cohen, who both teaches forensics and works on actual cases, stressed that companies need to understand the difficulty, and costs, involved. "Companies tend to balk at agreeing to that kind of expense when there is no guaranteed payoff."

Dittrich also hoped that the contest would open the eyes of corporate executives, who all too often want a quick fix.

"If you just reinstall the system, do you know if you have plugged the hole that allowed the attacker to get in?" he asked. Most of the time, such quick fixes just mean the attacker gets another shot at the system. Some computers at the University of Washington have been compromised five times, he said.

"Multiple intrusions are occurring all over the place," he said.

The Honeynet Project plans to do another contest, said Dittrich, but it's a question of time. "I probably spent easily over 100 hours on this," he said. "There was a lot of work that was done just in the judging."

The next project would also focus on either a Solaris or a Windows NT/2000 computer, he said. Getting one would not be a problem, however.

Systems placed on the Internet don't last that long, Dittrich explained.

"If we really wanted to get another system, it would take less than a week. We are being scanned constantly. We could get the data ready rather quickly," he said.